How to Deal With Keys
Jana Jaeger
Table of Contents
This article focuses on the achilles' heel of public key encryption - trusting in others and their signatures. The second part is a brief summary of the most important commands you need for handling keys under GPG.
Can Public Keys Really be Secure?
Powerful encryption programs like PGP or GPG do not necessarily constitute a guarantee for secure communication via e-mail. As long as one can not be sure a public key really belongs to the one designated as its owner, the whole system has a serious weak spot.
Building a Web of Trust
Building a network of people who trust each other in the sense that each one of them would only sign a public key that belongs to its real owner is a means to ensure that only trustworthy keys are being used. This sort of network is called a "web of trust". To sign a key, one partner encrypts it with his secret (also called private) key. The higher the amount of signatures by members of the web of trust under a certain key, the higher is the amount of trust that can be put into this key. As an alternative, signatures of a certification authority guarantee the authenticity of a key. These institutions need your ID card data in order to be able to vouch for your identity.
Fingerprints
How can I verify the identity of someone whom I can only reach by e-mail or phone? Is he really the one he pretends to be? Can I trust his public key? Fingerprints provide an answer to these questions. Both parties generate a hash value (a sort of check sum) over the key/s in question. Now they compare the hash values or the so-called fingerprints on a phone line. If the fingerprints prove to be identical the key is genuine and can be stored in the public key-ring. It is not very wise to compare fingerprints via e-mail as this would mean an exchange of highly sensitive security information via an insecure channel.
How Much do I Trust in a Signature?
After a public key has been signed, it can be stored in the key-ring file. How much trust is to be put into a certain key or its signatures can be controlled by the user himself. The number of signatures needed to call a key trustworthy is adjustable. In addition to that, the amount of trust in certain signers of a key is also adjustable. This value (so-called ownertrust value) ranges from "I don't know", "I do NOT trust" and "I trust marginally" to "I trust fully". Combining the trust value calculation with the adjusted number of signatures provides a means for GPG to evaluate the trustworthiness of this key.
In Practice ...
This section provides a short list of the most important commands of GPG. The GPG package is part of the SUSE LINUX distribution and can be found in the series sec (security).
Generating Keys
New pairs of keys (one secret and one public key) are generated by gpg --gen-key. The pair of algorithms used for de- and encryption should be set to DSA/ElGamal. The key length should be set to 1024 bit which is a good compromise between security and performance at this time (this may change with the availability of more powerful computer systems). In order to assign this key to its owner, his name, an optional comment and his e-mail address are needed. Finally, the private key is protected by a passphrase.
Exporting and Distributing Keys
The newly generated keys are exported by gpg --export [UID]. Without the addition of a userID, the whole key-ring will be exported. The output file is specified by the option -o [filename]. If the key is to be sent via e-mail the addition of -a or --armor may be useful. It creates an ASCII output. Distribution of keys can also be achieved by putting them on one's own home page, copying them into the .plan file, so they can be "fingered", or by putting them on a keyserver.
Importing Keys
New public keys can be added to one's own key-ring by gpg --import [filename].
Revoking Keys
For some reasons it may be necessary to revoke an old key (maybe its length is not sufficient any more, it leaked out, or the userID has changed). This is achieved by gpg --gen-revoke. To hinder other people from revoking one's own keys, this procedure requires the private key. Thus, it is practically impossible to revoke a secret key just because its passphrase has been forgotten, since one needs the passphrase and the secret key to revoke it. ... To avoid this situation, it is very wise to create a revocation certificate immediately after the creation of keys. This has to be kept secret either by saving it on a floppy disk or just printing it.
Key Management
Any information on the keys, their signatures and fingerprints is stored in the key-ring file. Ownertrust values are stored in a separate file. gpg --list-keys lists all keys in the public key-ring. By typing gpg --list-sigs their signatures are displayed. gpg --fingerprints shows their fingerprints. The keys in the secret key-ring are displayed when gpg --list-secret-keys is typed. Editing of a key is done by typing gpg --edit-key UID. Modifications of the passphrase and/or the expiry date of a key can be made with gpg --edit-key [option]. To delete keys from the public key-ring, type gpg --delete-key UID, to delete a key from the secret key-ring, type gpg --delete-secret-key.
Signing Keys
To sign a public key of someone else with your own signature, choose the key with gpg --edit-key UID and sign it with gpg -s (--sign).
Assigning Trust
Using gpg --edit-key trust different degrees of trust can be assigned to the signatures of a certain key. When using the option trust -1 no trust is assigned to this signature, trust -2 means "I do not know if I can trust this signature", trust -3 "I marginally trust this signature" and trust -4 "I fully trust this signature".
Further Information
Additional information can be found on the home page of the GnuPG project. A brief HOWTO can also be found there. Bruce Schneier's "Applied Cryptography, 2nd edition", published by Wiley & Sons, 1995 provides a deeper insight into the matter.
|
International
Contact 
